security

Blacklist IP database

Hi, is there an open database of blacklisted IPs for the Web? With a lot of public web proxies, you know... such as the blacklist used by the Global blocking of Wikipedia. Thanks in advance. ...

How secure is a security salt in an iPhone app?

I want to prevent users tampering with the data generated in my iPhone app, such as high scores. So I'm thinking of using an MD5 hash of the relevant data, and a security salt hard-coded into the app. When the data is read back in, I create a new hash and compare it to the old hash. If there's a difference, I know someone has been fi...

Automating Clickonce deployment with security ( certificates etc. ) such that client installs the application without any prompt.

Hi, I just read this --> Configuring ClickOnce Trusted Publishers and got it running on another computer on the network. I deployed the application on the network itself (i.e. \\abc\something). Though I could not find certmgr.exe as part of the Windows core components, as the article says ( ..so you will need to use the certificate management c...

Techniques to reduce data harvesting from AJAX/JSON services.

I was wondering if anyone had come across any techniques to reduce the chances of data exposed through JSON type services on the server (intended to supply AJAX functions) from being harvested by external agents. It seems to me that the problem is not so difficult if you had say a Flash client consuming the data. Then you could send en...

Credit card purchase of physical goods via an iPhone application

I'd like to add a means for users to make payments for physical goods using credit cards via an iPhone application. Are there any guidelines regarding such functionality in iPhone apps? I'm mostly thinking of Apple's opinions on this. Clearly, such data would have to be submitted securely but must this be done within Safari? If not, the...

File Upload / Memory Stream Security

Hi, we are thinking of having a form on our webpage that would allow people to email attachments through. The method used to do this is via a memory stream, avoiding any files being written onto the actual server. Is anyone aware of any security risks / how to protect yourself against these? I would love to hear from you. Best regard...

Looking for a simple, secure session design with servlets and JSP

I'm working on an intranet-only web application (J2EE) that requires some basic security features. There will be relatively few authorized users for the site, but I still need to implement some sort of secure session. The basic flow I'm looking at is visit site => log in => use site => log out when done (or automatically log out when th...

Pass data from page to page safely

I am looking for a method to pass data from page to page safely and avoid tampering as much as possible. The best way to solve it is to save the sensitive data on the db server. Or use a session persisted on the db server. Or whatever method persists data on the db server. The fact is, because of performance, I wouldn't like to use ...
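
Both the high-score question above ("hash the data plus a secret, recompute on read, compare") and this one ("pass data between pages without a round trip to the database, but detect tampering") are the same problem: integrity of data the client holds. The keyed form of that check is an HMAC. The following is an added example, not code from either poster; it assumes a secret (SECRET_KEY) known only to the server or app, and the player record and the tampered variant are constructed sample data.

```python
"""Tamper detection for client-held data with HMAC-SHA256.

Added example. SECRET_KEY is a placeholder for a secret loaded from
configuration or a key store; the records below are constructed samples.
"""
import base64
import hashlib
import hmac
import json

# Assumption: a secret the client never sees. Anyone who obtains it can forge
# tags, so a key compiled into a client binary only protects against users who
# do not dig it out of the binary.
SECRET_KEY = b"replace-with-32-random-bytes-from-os.urandom"


def _canonical(record: dict) -> bytes:
    """Canonical JSON so key order cannot change the bytes that get signed."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes = SECRET_KEY) -> str:
    """Return an opaque token: b64url(payload) + '.' + b64url(HMAC(payload))."""
    payload = _canonical(record)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "." +
            base64.urlsafe_b64encode(tag).decode())


def unseal(token: str, key: bytes = SECRET_KEY):
    """Return the record if the tag verifies, otherwise None."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:            # missing '.', bad base64 or bad padding
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # compare_digest does not leak the position of the first mismatching byte.
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)


def tamper(token: str, new_record: dict) -> str:
    """Simulate an attacker who rewrites the payload but cannot recompute the tag."""
    _, tag_b64 = token.split(".", 1)
    return base64.urlsafe_b64encode(_canonical(new_record)).decode() + "." + tag_b64


if __name__ == "__main__":
    original = {"player": "alice", "score": 1200}        # constructed sample
    token = seal(original)
    print(unseal(token))                                 # the record round-trips
    print(unseal(tamper(token, {"player": "alice", "score": 999999})))  # None
```

The payload is not encrypted, only authenticated: put secrets in it only if the client is allowed to read them. An unkeyed hash (MD5 of data plus a fixed string) gives the same guarantee only as long as the string stays unknown; a key stored server-side keeps that assumption honest.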

Best practice to send secure information over e-mail?

I have to send sensitive information (name, address, social security number etc.) collected from a website, that has been entered by a user, to an e-mail address. What is the best course of action to make the information secure and easy to extract on the receiver side? Edit: I will be using ASP.NET for the website, not sure what it ha...

Security of clearing down cookies in IE

Hi, I've been asked to analyse an old web app which stores sensitive information in cookies rather than sessions/similar. (To be precise, it's classic ASP and uses cookie families.) The only clients are IE 6/7/8. After the process in question has been completed on the web app, the cookies are cleared down. The question I need to answer...

ASP.Net Security By Route

I'm working with ASP.Net Dynamic Data and I have a section in my web.config like this: <location path="Foo/List.aspx"> <system.web> <authorization> <allow roles="The Name of Some Role"/> <deny users="*"/> </authorization> </system.web> </location> This works fine for restricting access to that path, however lat...

Why can't I see the "value" column in SYS.EXTENDED_PROPERTIES?

I have some extended property column descriptions in a SQL Server 2008 database, and when I log in to management studio and do a simple query: Select * from SYS.EXTENDED_PROPERTIES; I can see all the columns in that table, including the extended property "value" column. When I have an ASP.NET page log in to the db, perform that query, ...

XML vulnerabilities and threats on the Internet

Can anybody give a list of XML vulnerabilities and threats that are possible on the Internet? ...

How do you globally modify page output sent from IIS without modifying the page source?

A couple of sites of mine recently got "hacked". Someone was able to add a line of JavaScript to the bottom of every page on the site. The server is a Windows Server 2003, and has Cold Fusion 8 and MySQL 5.x installed and running. Looking into the code on each page shows that none of the pages were modified. The JavaScript is not in the ...

WCF authentication "friendly" to non-Microsoft clients?

An exploratory question, here. After some reading, I'm getting a sinking feeling that WCF's authentication options aren't "friendly" to non-Microsoft clients, or require a great deal of effort to implement. I'm building a REST WCF service for which I wanted some kind of simple digest authentication; e.g. I store a username and password...

How does the RSA private key passphrase work under the hood?

RSA private keys may be assigned a "passphrase" which - as I understand it - is intended to provide some secondary security in case someone makes off with the private key file. How is the passphrase layer of security implemented? ...
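
What the passphrase actually does, as an added illustration that is not part of the post: in the traditional PEM format (a `BEGIN RSA PRIVATE KEY` block with `Proc-Type: 4,ENCRYPTED` and `DEK-Info` headers, as written by `openssl genrsa -des3`/`-aes128` and older `ssh-keygen`), the passphrase is run through OpenSSL's legacy EVP_BytesToKey derivation (MD5, one iteration, salt = first 8 bytes of the IV from the DEK-Info header) to produce the symmetric key that encrypts the DER-encoded RSA key with the named cipher. The code below reimplements that derivation and the header parsing; the PEM text is constructed and its body is not a real key. PKCS#8 keys (`BEGIN ENCRYPTED PRIVATE KEY`) use PBKDF2 instead and are not covered here.

```python
"""Passphrase -> symmetric key for a traditional (DEK-Info) PEM private key.

Added example reimplementing OpenSSL's legacy EVP_BytesToKey (MD5 based).
SAMPLE_PEM is constructed for illustration; its body is not a real key.
"""
import hashlib
import re

# Key sizes for the ciphers OpenSSL writes into DEK-Info headers.
KEY_LENGTHS = {"DES-CBC": 8, "DES-EDE3-CBC": 24, "AES-128-CBC": 16,
               "AES-192-CBC": 24, "AES-256-CBC": 32}

SAMPLE_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,5C1EB5A9BD2E0F3A4D6B1C7E8F9A0B1C

bm90LWEtcmVhbC1rZXk=
-----END RSA PRIVATE KEY-----
"""


def parse_dek_info(pem: str):
    """Return (cipher name, IV bytes) from the DEK-Info header."""
    if "Proc-Type: 4,ENCRYPTED" not in pem:
        raise ValueError("not a traditional encrypted PEM key")
    m = re.search(r"^DEK-Info:\s*([A-Z0-9-]+),([0-9A-Fa-f]+)\s*$", pem, re.M)
    if not m:
        raise ValueError("DEK-Info header missing")
    cipher, iv_hex = m.group(1), m.group(2)
    if cipher not in KEY_LENGTHS:
        raise ValueError(f"unsupported cipher {cipher}")
    return cipher, bytes.fromhex(iv_hex)


def evp_bytes_to_key(passphrase: bytes, salt: bytes, key_len: int,
                     count: int = 1) -> bytes:
    """OpenSSL EVP_BytesToKey with MD5.

    D_1 = MD5^count(passphrase || salt)
    D_i = MD5^count(D_{i-1} || passphrase || salt)
    key = first key_len bytes of D_1 || D_2 || ...
    (one MD5 block is 16 bytes, so 3DES needs two rounds, AES-128 one).
    """
    out, prev = b"", b""
    while len(out) < key_len:
        d = hashlib.md5(prev + passphrase + salt).digest()
        for _ in range(count - 1):
            d = hashlib.md5(d).digest()
        out += d
        prev = d
    return out[:key_len]


def derive_pem_key(pem: str, passphrase: str):
    """Return (cipher, key, iv) needed to decrypt the PEM body."""
    cipher, iv = parse_dek_info(pem)
    salt = iv[:8]                      # PEM uses the IV's first 8 bytes as salt
    key = evp_bytes_to_key(passphrase.encode(), salt, KEY_LENGTHS[cipher])
    return cipher, key, iv


if __name__ == "__main__":
    cipher, key, iv = derive_pem_key(SAMPLE_PEM, "correct horse battery staple")
    print(cipher, key.hex(), iv.hex())
```

The consequence for the question asked: the protection is exactly one unsalted-in-the-modern-sense, single-iteration MD5 away from the passphrase, so whoever steals the file can guess passphrases at full speed. That is why newer formats (PKCS#8 with PBKDF2, OpenSSH's bcrypt-based format) replace this derivation.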

Password hashing at client browser

What's the best way to hash the user password at the client browser, before sending it to the web server, so that only the hash goes out, not the plain-text password? EDIT: assuming HTTP is used (not HTTPS) ...
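
Sending sha256(password) instead of the password over plain HTTP only renames the secret: whoever sniffs the hash replays it. A challenge-response exchange fixes the replay problem: the server sends a fresh nonce, the client answers with HMAC(verifier, nonce) where the verifier is a salted, slow hash of the password, and the server checks against the verifier it stores. The following is an added example simulating both sides in one process; it is not the poster's code, the `Server` class and helper names are mine, and the user "alice" with password "hunter2" is constructed sample data.

```python
"""Nonce-based challenge-response so the plaintext password never leaves the
browser and a sniffed response cannot be replayed.

Added example; both sides are simulated in one process.
"""
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 100_000   # assumption: tune to the client's CPU budget


def client_verifier(password: str, salt: bytes) -> bytes:
    """Salted, slow hash computed in the browser; also what the server stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def client_respond(password: str, salt: bytes, nonce: bytes) -> bytes:
    """Client side: prove knowledge of the verifier without sending it."""
    return hmac.new(client_verifier(password, salt), nonce, hashlib.sha256).digest()


class Server:
    def __init__(self):
        self.users = {}         # username -> (salt, verifier)
        self.challenges = {}    # username -> outstanding nonce (single use)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, client_verifier(password, salt))

    def challenge(self, user: str):
        """Step 1: hand the client its salt and a fresh nonce."""
        salt, _ = self.users[user]
        nonce = secrets.token_bytes(32)
        self.challenges[user] = nonce
        return salt, nonce

    def verify(self, user: str, response: bytes) -> bool:
        """Step 2: recompute HMAC(verifier, nonce) and compare in constant time."""
        nonce = self.challenges.pop(user, None)   # pop: a replayed response fails
        if nonce is None:
            return False
        _, verifier = self.users[user]
        expected = hmac.new(verifier, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def login(server: Server, user: str, password: str) -> bool:
    """The full exchange as the browser would drive it."""
    salt, nonce = server.challenge(user)
    return server.verify(user, client_respond(password, salt, nonce))


if __name__ == "__main__":
    s = Server()
    s.register("alice", "hunter2")            # constructed sample user
    print(login(s, "alice", "hunter2"))       # True
    print(login(s, "alice", "wrong"))         # False
```

Two limits to keep in mind: the stored verifier is password-equivalent for this protocol (anyone who reads it from the database can answer challenges, exactly as with pass-the-hash), and nothing here protects the session that follows the login, so the exchange is a stopgap for the no-TLS constraint the post states, not a replacement for HTTPS.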

Is it possible to have a C# Winform with in-built Anti-Keylogger?

Every security system has its limits. I understand that a hardware key logger cannot be beaten as it is connected to the hardware itself. Also it is not a concern at this point as most of the time it is used by programmers and ethical hackers to log themselves, on top of which most of the time cautious users will be able to visually iden...

Retrieval of user-supplied data: any benefit from prepared statements?

Prepared statements are good for preventing SQL injection when the user supplies data and we use that data for db insertion or even just to structure the query. But is there really any benefit to PDO when I'm retrieving previously-inserted user-supplied data from the database? It sounds to me like the answer is no. It's already in. As long as th...

Security in a Rails app - User submitted data

I'm currently in the process of writing my first Rails app. I'm writing a simple blog app that will allow users to comment on posts. I'm pretty new to Rails, so I'm looking for a bit of guidance on how to address security concerns with user input. On the front end, I am using TinyMCE to accept user input. It is my understanding that ...